Joplin OneNote Importer Path Traversal Vulnerability Allowing Arbitrary File Overwrite

Vulnerability

A path traversal vulnerability has been identified in the Joplin note-taking application, specifically within the OneNote importer feature. This vulnerability exists in Joplin versions 3.2.2 through 3.5.6. The issue arises because the OneNote converter does not properly sanitize the file names of embedded files before saving them to disk. Consequently, an attacker can craft a malicious .one file whose embedded file names include traversal sequences, such as ../../, which the converter interprets as part of the destination file path. This allows arbitrary files on the user's system to be overwritten. The vulnerability has been patched in Joplin version 3.5.7.

Impact

Exploitation of this vulnerability allows arbitrary files to be overwritten, including sensitive files such as the user's .bashrc on Linux systems, which in Joplin's case could lead to remote code execution.

Reproduction

To reproduce this vulnerability, import a crafted OneNote file that contains embedded file names with traversal sequences into Joplin versions 3.2.2 through 3.5.6. After the import, check the application's log file, which will show that it has been overwritten with non-log content, such as a WAV file. This proof-of-concept has been tested on Joplin 3.4.12 and 3.5.6 on Fedora Linux 43.

Remediation

Users can update to Joplin version 3.5.7, where this vulnerability has been patched.

Added: May 18, 2026, 9:25 PM
Updated: May 18, 2026, 9:25 PM

Vulnerability Rating

Custom Algorithm

spread          6.6
impact          2.5
exploitability  5.6
remediation     7.7
relevance       8.7
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.